Disclaimer

NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.

General Overview

I have always believed that security is the number one priority in building good software. I try to make sure that security issues are considered during my design stage. The problem with current students in tertiary education is that, from what I can see, most of them never consider security a real issue. They tend to focus more on the system's features and GUI. Lecturers also rarely pay attention to security or encourage students to build stronger security measures into their projects, which I think is not appropriate at all.

Why should we be aware of security?

1st Scenario :

In my current smart card company, most of the information stored within our SDK is highly confidential. We do not want our SDK to be manipulated by our competitors.

2nd Scenario :

You took a year to write a piece of software, and its development consumed a lot of resources and time. Then you sell your software and find that all your hard work of the past 12 months is easily manipulated. Therefore, steps must be taken to ensure this does not happen.

3rd Scenario :

One day, my manager came to me and asked me this question.

Question: Are .NET assemblies that secure?

Answer: Nothing is secure, but all we can do is to try to make things harder for a hacker.

Then he gave me this reply: "I thought .NET is supposed to be more secure. That is why we moved to Microsoft .NET." He was totally upset when I showed him the .NET Reflector program by Lutz Roeder, with which you can decompile your binaries back to C# source code. Below is an example of what it looks like.

The Demonstration

4th Scenario :

Back in the 1990s, you may have noticed that some shareware programs implemented this kind of verification technique. When you install the software, it creates a key in the Windows registry. Basically, it stores the serial number inside the registry, either as plain text or in encrypted form. Yes, I have seen people placing plain text in the registry. When your program runs, it checks the registry to verify the existence of that particular key. If you have a wrong serial number or that particular key is not there, it shows you an error. Right now I will try to simulate this verification technique in C# step by step.
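The check described in this scenario, next to a variant that verifies a vendor signature rather than comparing a stored serial. This is an added example, not the article's own code; the registry path, value names, sample serial and licensee name are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

static class LicenseDemo
{
    // Hypothetical registry location, made up for this example.
    const string KeyPath = @"Software\ExampleVendor\ExampleApp";

    static string ReadValue(string name)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
            return key == null ? null : key.GetValue(name) as string;
    }

    // Check as described above: the expected serial is a constant inside the
    // assembly and the registry copy is plain text, so both can simply be read.
    public static bool WeakCheck() =>
        ReadValue("Serial") == "1234-5678-ABCD"; // constructed sample serial

    // Signed check: the assembly carries only the vendor's public key, so it
    // holds no secret from which a valid license could be produced.
    public static bool Verify(string publicKeyXml, string licensee, string signatureB64)
    {
        if (licensee == null || signatureB64 == null) return false;
        try
        {
            using (RSA rsa = RSA.Create())
            {
                rsa.FromXmlString(publicKeyXml);
                return rsa.VerifyData(Encoding.UTF8.GetBytes(licensee),
                    Convert.FromBase64String(signatureB64),
                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
        }
        catch (FormatException) { return false; } // stored value is not base64
    }

    static void Main()
    {
        // Vendor side, done once; the private key never ships with the product.
        using (var vendor = new RSACryptoServiceProvider(2048))
        {
            string pub = vendor.ToXmlString(false);
            byte[] name = Encoding.UTF8.GetBytes("Alice Example"); // constructed licensee
            string sig = Convert.ToBase64String(
                vendor.SignData(name, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            Console.WriteLine(Verify(pub, "Alice Example", sig)); // issued license
            Console.WriteLine(Verify(pub, "Bob Example", sig));   // licensee name altered
            Console.WriteLine(WeakCheck());                       // depends on the local registry
        }
    }
}
```

Signing means no value that produces licenses is stored in the assembly or the registry. The check itself is still visible in a decompiler, as the 3rd scenario describes.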

18. Now I am thinking hard about how to break this licensing technique. This is the fun part and I hope you will like it. Right now, no matter how you run your C# Windows form, it will show you the same error: “Please acquire a license to run this!”. Please bear this in mind.

Note: There is no difference between breaking a Debug mode assembly and a Release mode assembly.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Comments and Discussions

Hi,
I know assemblies could be cracked, even native win32 are not really secure, but it takes a lot of effort to crack them, and I say that if someone spends the amount of time to crack native win32 apps... he/she deserves it :p But .NET makes it so very simple. It's insane actually. I'd like to see MS using .NET to make their own apps. Anyway... what I'd like to know is: how can I protect my .NET code from being opened in a Reflector-like tool without an obfuscator or any other third-party tool for that matter? I want to use pure .NET. Some attribute in .NET? Or some compiler switches? Or anything.